For Public Release 2009 January 14 1600 UTC (GMT)
+---------------------------------------------------------------------

Summary

IronPort PXE Encryption is an e-mail encryption solution that is
designed to secure e-mail communications without the need for a
Public Key Infrastructure (PKI) or special agents on receiving
systems. When an e-mail message is targeted for encryption, the PXE
encryption engine on an IronPort e-mail gateway encrypts the original
e-mail message as an HTML file and attaches it to a notification
e-mail message that is sent to the recipient. The per-message key
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.

The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account.

IronPort Encryption Appliance devices contain two vulnerabilities
that could allow unauthorized users to gain access to the IronPort
Encryption Appliance administration interface and modify other users'
settings. These vulnerabilities do not affect Cisco Registered
Envelope Service users.

Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for the vulnerabilities
that are described in this advisory.

The version of software that is running on an IronPort Encryption
Appliance is located on the About page of the IronPort Encryption
Appliance administration interface.

Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.

Products Confirmed Not Vulnerable
+--------------------------------

IronPort C, M and S-Series appliances are not affected by these
vulnerabilities. Although C-Series appliances can be configured to
use a local IronPort Encryption Appliance for per-message key
retention, the C-Series appliances are not vulnerable. The Cisco
Registered Envelope Service is not vulnerable.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details

Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only.

Individual PXE Encryption users are vulnerable to two message privacy
vulnerabilities that could allow an attacker to gain access to
sensitive information. All the vulnerabilities require an attacker to
first intercept a secure e-mail message as a condition for successful
exploitation. Attackers can obtain secure e-mail messages by
monitoring a network or a compromised user e-mail account.

The IronPort Encryption Appliance contains a logic error that could
allow an attacker to obtain the unique, per-message decryption key
that is used to protect the content of an intercepted secure e-mail
message without user interaction. Using the decryption key, an
attacker could decrypt the contents of the secure e-mail message.
This vulnerability is documented in IronPort bug 8062 and has been
assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0053.
By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
and then cause the exposure of the user's credentials and message
content. Please see the Workarounds section for more information on
mitigations available to reduce exposure to these phishing-style
attacks. This vulnerability is documented in IronPort bug 8149 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0054.

The administration interface of IronPort Encryption Appliance devices
contains a cross-site request forgery (CSRF) vulnerability that could
allow an attacker to modify a user's IronPort Encryption Appliance
preferences, including their user name and personal security pass
phrase, if the user is logged into the IronPort Encryption Appliance
administration interface. Exploitation of the vulnerability will not
allow an attacker to change a user's password. This vulnerability is
documented in IronPort bug 5806 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055.

The administration interface of IronPort Encryption Appliance devices
also contains a cross-site request forgery (CSRF) vulnerability that
could allow an attacker to execute a command and modify a user's
IronPort Encryption Appliance preferences, including their user name
and personal security pass phrase, under certain circumstances when a
user logs out of the IronPort Encryption Appliance administration
interface. Exploitation of the vulnerability will not allow an
attacker to change a user's password. This vulnerability is
documented in IronPort bug 6403 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0056.

Vulnerability Scoring Details

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Successful exploitation of these vulnerabilities could allow an
attacker to obtain user credentials and view the contents of
intercepted secure e-mail messages, which could result in the
disclosure of sensitive information.

Successful exploitation of these vulnerabilities could allow an
attacker to access user accounts on an IronPort Encryption Appliance
device, which could result in the modification of user preferences.

Software Versions and Fixes

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

Workarounds

There are no workarounds for the vulnerabilities that are described
in this advisory.

There are mitigations available to help prevent exploitation of the
PXE Encryption phishing-style vulnerability. Phishing attacks can be
greatly reduced if DomainKeys Identified Mail (DKIM) and Sender
Policy Framework (SPF) are implemented on IronPort e-mail gateways to
help ensure message integrity and source origin. Additionally, the
PXE Encryption solution contains an anti-phishing Secure Pass Phrase
feature to ensure that secure notification e-mail messages are valid.
This feature is enabled by recipients when configuring their PXE user
profile. Cisco has released a best practices document that describes
several techniques to mitigate against the phishing-style attacks
that is available at the following link:

Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by IronPort, and not via the Cisco TAC organization.
Customers should contact IronPort technical support at the link below
to obtain software fixes. IronPort technical support will assist
customers in determining the correct fixes and installation
procedures. Customers should direct all warranty questions to
IronPort technical support.

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

All other vulnerabilities were discovered by Cisco or reported by
customers.

Status of this Notice: FINAL

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

cust-security-announce@cisco.com

first-bulletins@lists.first.org

bugtraq@securityfocus.com

vulnwatch@vulnwatch.org

cisco@spot.colorado.edu

cisco-nsp@puck.nether.net

full-disclosure@lists.grok.org.uk

comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.